In Beta, waiting a review!

Have you ever wondered how they do it in secret agent movies: they knock on the door with a secret sequence and the door opens! You can do the same with your server (or a RasPi ;).

## Prepare your firewall

Edit /etc/iptables.test.rules:

```
*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept local network traffic; change this to match your home network.
# (A /8 mask on 192.168.x.x would accept all of 192.0.0.0/8, including public addresses,
# so use the real size of your LAN, e.g. /24.)
-A INPUT -s 192.168.1.0/24 -j ACCEPT

# Allow all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites)
#-A INPUT -p tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections (left commented out: knockd will insert this rule on demand)
#-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log iptables denied calls (view them with the 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
```

Activate these new rules:

```bash
iptables-restore < /etc/iptables.test.rules
```

Once you are happy, save the new rules to the master iptables file:

```bash
iptables-save > /etc/iptables.up.rules
```

To activate these rules on boot, edit /etc/network/if-pre-up.d/iptables:

```bash
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
```

The file needs to be executable, so change the permissions:

```bash
chmod +x /etc/network/if-pre-up.d/iptables
```

## Setup Knockd on the server

```bash
apt-get install knockd
```

And put this in /etc/knockd.conf:

```
[options]
	UseSyslog

[openSSH]
	sequence    = 7000,8000,9000
	seq_timeout = 5
	command     = /sbin/iptables -D INPUT -j REJECT;/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT;/sbin/iptables -A INPUT -j REJECT;
	tcpflags    = syn

[closeSSH]
	sequence    = 9000,8000,7000
	seq_timeout = 5
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
```

Set it to start at boot by editing /etc/default/knockd:

```
(...)
START_KNOCKD=1
(...)
```

And start the daemon:

```bash
/etc/init.d/knockd start
```

## Knock your port

Watch iptables from your server:

```bash
watch iptables -L
```

Knock on the door of your server from your workstation (TocTocToc):

```bash
wget http://www.zeroflux.org/proj/knock/files/knock-macos.tar.gz
tar xvzf knock-macos.tar.gz
server_ip=...
username=...
./knock $server_ip 7000 8000 9000 # open your ssh port
ssh $username@$server_ip
./knock $server_ip 9000 8000 7000 # close your ssh port
```

and enjoy!

For other clients, check this page: http://www.zeroflux.org/projects/knock/

## Setup your router

Don't forget to let your router forward your ssh port and the ports used for knocking.

## Security concern

I advise you to drop the packets on the router side, and also on your firewall (iptables). If not, it's quite easy, based on the response packet, to see the ports opened and try them in different orders (based on the response, MAC address...). If you know how to drop packets on your firewall, you can share it with me in the comments.

But your ssh is well protected with your own generated key, and doesn't allow password authentication, right?

## PS

A physical port knock: http://www.engadget.com/2009/11/04/secret-knock-door-lock-defends-home-from-rhythmically-impaired/

The firewall part is mainly inspired by http://wiki.debian.org/iptables